This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: ipchains question
From: "Paul Smith" <pauls@SCCWRP.ORG>
Date: Fri, 28 Jul 2000 07:34:05 -0700

Hello all,

What is the basic ipchains command that allows internal computers to make use of a redhat 6.2 machine gateway for browsing the internet? I've been playing around with ipchains using different commands, but don't seem to be able to get my internal machines to browse the internet. I've read the Howto and man pages, but I just want to get my internal machines browsing first before I even move on to tightening security and such.

My ethernet cards are working, I can ping off both ends (outside onto the internet and internally to clients). My internal client machines have private ip numbers, same subnet as the internal gateway card, my isp dns numbers are in place. Am I missing something? Do the network cards need to be lined up a certain way (internal eth0, external eth1 is how I have it now)? Ipchains is set up, I can issue commands and then delete the chains. I have even got it to block ping packets, but no browsing seems to work from my client ends. Do I have to give the browsers on my internal machines port numbers, or is the gateway configuration enough?

===

Subject: RE: ipchains question
From: "Burke, Thomas G." <thomas_g_burke@md.northgrum.com>
Date: Fri, 28 Jul 2000 10:28:26 -0400

Do you have a routable internal network, or are you using masquerade?

===

Subject: RE: ipchains question
From: "Czerlinsky, Tim B" <tim.czerlinsky@unisys.com>
Date: Fri, 28 Jul 2000 09:36:33 -0500

Be sure you have your RouteD enabled in Linuxconf, and with your setup, it sounds like you have to have masquerading set up also. I had the same prob with my server when I first got it set up; those 2 settings took care of everything.

They do have a great program, called PMFirewall, which is available at http://www.pointman.org/PMFirewall/. I use it on my server, have not had any problems with it. It's run from the command line, but it is a wizard of sorts. It will set up your masquerading & firewall, and it will prompt you for what ports you want to leave open, and what you want to close. It only takes a few minutes to get it up & running, works great. That is cheating however, since you're not doing your scripts yourself. ;)

===

Subject: Re: ipchains question
From: "Paul Smith" <pauls@SCCWRP.ORG>
Date: Fri, 28 Jul 2000 07:53:15 -0700

I am under the impression that if I am using dsl, with a static ip address I can use a redhat machine with ipchains and two network cards to allow multiple internal machines to use that one redhat machine (gateway) for browsing the internet. I suppose that I am trying to use masquerade.

===

Subject: RE: ipchains question
From: "Burke, Thomas G." <thomas_g_burke@md.northgrum.com>
Date: Fri, 28 Jul 2000 11:05:18 -0400

Here's a copy of my rc.firewall... This should set up ipmasq, & a halfway decent firewall at the same time... If anyone sees anything they don't like about this, please pipe up & let me know what you think I ought to be doing differently...
#!/bin/sh
#
#
############################################################################
#
# rc.firewall
# Heavily plagiarized from Hal Burgiss (hburgiss@bellsouth.net)
#
# Tom Burke - 5 May 00 (tomii@erols.com)
#
############################################################################
#
# variables
#
# internal interface
INTERNAL_IF=eth0
INTERNAL_IP=192.168.68.1
INTERNAL_MASK=255.255.255.0
INTERNAL_NET=$INTERNAL_IP/$INTERNAL_MASK
#
#
# external interface
EXTERNAL_IF=ppp0
#
# These lines for dynamic IP
# EXTERNAL_IP=`ifconfig $EXTERNAL_IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
# EXTERNAL_MASK=`ifconfig $EXTERNAL_IF | grep Mask | cut -d : -f 4`
#
EXTERNAL_IP=209.122.117.221
EXTERNAL_MASK=255.255.255.0
EXTERNAL_NET=$EXTERNAL_IP/$EXTERNAL_MASK
echo -n "External net -> "
echo $EXTERNAL_NET
#
#
# Loopback Interface
LOOPBACK=lo
#
#
# All addresses
ALLADDR=0/0
#
#
# location of ipchains
IPCHAINS=/sbin/ipchains
#
#
#
############################################################################
##
# We assume that all interfaces are up...
# Maybe this should be run in the PPP startup script?
#
# First, we flush all rules
echo -n "Flushing all rules"
#
# Flush empty chains
$IPCHAINS -X
echo -n "."
#
# Flush Incoming rules (packets from the outside network)
$IPCHAINS -F input
echo -n "."
#
# Flush Outgoing rules (packets from the internal network)
$IPCHAINS -F output
echo -n "."
#
# Flush forwarding rules (masquerading stuff, etc)
$IPCHAINS -F forward
echo -n "."
echo "Done!"
#
############################################################################
#
#
# Handle the loopback device - we should accept anything coming from
# or going to this device, otherwise we'll break the system.
#
echo -n "Loopback.."
$IPCHAINS -A input -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -i $LOOPBACK -s $ALLADDR -d $ALLADDR -j ACCEPT
echo -n ".."
echo "Done!"
#
############################################################################
#
# Different system tweaks
echo -n "/proc tweaks.."
#
# IP Spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done
fi
echo -n "."
#
# Block all ICMP echo requests (will this break my internal boxes'
# ability to ping the outside world?)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n "."
#
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $i
done
echo -n "."
#
# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $i
done
echo -n "."
#
# Start IP Fragment Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo -n "."
#
# Start ICMP Broadcast Echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -n "."
#
# Start Bogus Error Response Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -n "."
#
# Start SYN cookies protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
echo -n "."
echo "Done!"
#
###########################################################################
#
# Block nonroutable IPs from entering our box
#
# Block 192.168.0.0/16 on outer interface, only
#
###########################################################################
#
echo -n "Blocking non-routable addresses.."
$IPCHAINS -A input -s 10.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 127.0.0.0/8 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -s 172.16.0.0/12 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -i $EXTERNAL_IF -s 192.168.0.0/16 -d $EXTERNAL_NET -j DENY
echo -n "."
echo "Done!"
#
###########################################################################
#
# Trusted networks and services
# Put in rules to unconditionally allow connections from
# hosts/nets that might otherwise be blocked.
#
# Any services that we want global, unfiltered access to
# go here
#
# Currently, global unfiltered access is only
# allowed to our internal network.
#
# External network (the internet) can have full access to
# http, snmp, ftp, ssh, and nothing else
###########################################################################
echo -n "Trusted Networks.."
#
# Add the internal net's unconditional access, here.
echo -n "Internal Network..."
$IPCHAINS -A input -i $INTERNAL_IF -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
#
#
# Stuff we want the outside world to be able to use...
echo -n "Global Services..."
#
# http (80)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 80 -j ACCEPT
echo -n "."
#
# ftp (21)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 20 -j ACCEPT
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 21 -j ACCEPT
echo -n "."
#
# smtp (25)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 25 -j ACCEPT
#
# ssh (22)
$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 22 -j ACCEPT
echo -n "."
echo "Done!"
#
# DNS
# May need to enable this so MASQ'd network can do DNS lookups
# to ISP's DNS machine (Seems to be working without it)
#$IPCHAINS -A input -p tcp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#$IPCHAINS -A input -p udp -s $ALLADDR -d $EXTERNAL_NET 53 -j ACCEPT
#
###########################################################################
#
# Banned Networks
#
# Put troublemakers here - Rules to specifically block connections
# from hosts/nets that are known to cause problems. Packets are logged.
#
###########################################################################
#
#
echo -n "Banned Networks.."
#
# Generic blocker/logger
# $IPCHAINS -A input -l -s [banned host/net] -d $EXTERNAL_NET [ports] -j DENY
# echo -n "."
#
# This one blocks ICMP attacks
# $IPCHAINS -A input -l -b -i $EXTERNAL_IF -p icmp -s [host/net] -d $EXTERNAL_NET -j DENY
# echo -n "."
# echo "Done!"
#
$IPCHAINS -A input -l -s 64.23.24.254 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 207.110.40.160 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.203.36.68 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.3.223.49 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 216.216.57.161 -d $EXTERNAL_NET -j DENY
echo -n "."
$IPCHAINS -A input -l -s 209.249.182.198 -d $EXTERNAL_NET -j DENY
echo -n "."
#
############################################################################
#
# Specific blocks/logging on external interface
#
# blocks off ports with known vulnerabilities
#
############################################################################
#
echo -n "Port Blocks and traps.."
#
# NetBEUI/Samba/NetBios - only on external interface
# Do not log - too much traffic
$IPCHAINS -A input -i $EXTERNAL_IF -p tcp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
$IPCHAINS -A input -i $EXTERNAL_IF -p udp -s $ALLADDR -d $EXTERNAL_NET 137:139 -j DENY
echo -n "."
#
# Microsoft SQL - all interfaces
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 1433 -j DENY
echo -n "."
#
# Postgres SQL
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 5432 -j DENY
echo -n "."
#
# NFS
# Does this block mail?
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 2049 -j DENY
echo -n "."
#
# Back Orifice
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31337 -j DENY
echo -n "."
#
# NetBus
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 12345:12346 -j DENY
echo -n "."
#
# Trin00
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 1524 -j DENY
$IPCHAINS -A input -l -p tcp -s $ALLADDR -d $EXTERNAL_NET 27655 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 27444 -j DENY
$IPCHAINS -A input -l -p udp -s $ALLADDR -d $EXTERNAL_NET 31335 -j DENY
echo -n "."
#
# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $ALLADDR -j DENY
$IPCHAINS -A input -s $ALLADDR -d 224.0.0.0/8 -j DENY
echo -n "."
echo "Done!"
#
##########################################################################
#
# All I/O rules are done(?) - set up masquerade
#
##########################################################################
#
echo -n "Masquerading.."
#
# Install any helpers we might need - Our CU_SeeMe seems to
# work without the cuseeme module
/sbin/depmod -a > /dev/null 2>&1
/sbin/modprobe ip_masq_ftp > /dev/null 2>&1
/sbin/modprobe ip_masq_raudio > /dev/null 2>&1
/sbin/modprobe ip_masq_irc > /dev/null 2>&1
/sbin/modprobe ip_masq_icq > /dev/null 2>&1
/sbin/modprobe ip_masq_quake > /dev/null 2>&1
/sbin/modprobe ip_masq_user > /dev/null 2>&1
/sbin/modprobe ip_masq_vdolive > /dev/null 2>&1
#/sbin/modprobe ip_masq_mfw > /dev/null 2>&1
#/sbin/modprobe ip_masq_autofw > /dev/null 2>&1
#/sbin/modprobe ip_masq_portfw > /dev/null 2>&1
/sbin/modprobe ip_masq_cuseeme > /dev/null 2>&1
echo -n "."
#
# Masq timeouts - tcp 4hrs (14400s), tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600
echo -n "."
#
# Tell kernel to allow masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
echo -n "."
#
# Tell kernel to allow dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo -n "."
#
# Don't masq internal traffic
$IPCHAINS -A forward -s $INTERNAL_NET -d $INTERNAL_NET -j ACCEPT
echo -n "."
#
# Don't masq external interface direct
$IPCHAINS -A forward -s $EXTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
#
# Masq all internal IPs going outside
$IPCHAINS -A forward -s $INTERNAL_NET -d $ALLADDR -j MASQ
echo -n "."
#
# Set default rule on MASQ chain to deny
$IPCHAINS -P forward DENY
echo -n "."
#
## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
$IPCHAINS -A output -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
#########################################################################
#
# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel
echo -n "Tweak TOS bits for minimum delay.."
#
# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10
echo -n "."
#
# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08
echo -n "."
echo "Done!"
#
# Allow outgoing ICMP
echo -n "Allow outgoing ICMP.."
$IPCHAINS -A output -p icmp -s $INTERNAL_NET -d $ALLADDR -j ACCEPT
echo -n "."
echo "Done!"
#
# end of firewall
#
############################################################
# Allow www.dialpad.com calls
echo -n "DialPad.."
/usr/sbin/ipmasqadm autofw -A -v -u -r udp 51200 51201 -c tcp 7175
echo -n "."
/usr/sbin/ipmasqadm autofw -A -v -u -r tcp 51200 51201 -c tcp 7175
echo -n "."
echo "Done!"

===

Subject: Re[2]: ipchains question
From: Brian Ashe <brian@dee-web.com>
Date: Fri, 28 Jul 2000 11:07:12 -0400

Hi Paul,

You can absolutely do as you say. You should probably try looking here first...
http://members.home.net/ipmasq/

as it has a well written how-to as well as many other resources. You can skip the part in the how-to about the kernel compile; a stock Redhat kernel is set up to work.

===

Subject: Re: ipchains question
From: Jerry Winegarden <jbw@duke.edu>
Date: Fri, 28 Jul 2000 11:14:32 -0400 (EDT)

On Fri, 28 Jul 2000, Paul Smith wrote:

> I am under the impression that if I am using dsl, with a static ip address I
> can use a redhat machine with ipchains and two network cards to allow multiple
> internal machines to use that one redhat machine (gateway) for browsing the
> internet. I suppose that I am trying to use masquerade.
>

Yes, you will use ipchains to do ip masquerade. I suggest you follow my cookbook (includes rc.firewall script,...)

http://www-jerry.oit.duke.edu/linux/bluedevil/HOWTO/ipchains_howto.html

===

Subject: Re: ipchains question
From: "M. Neidorff" <neidorff@bellatlantic.net>
Date: Sun, 30 Jul 2000 10:40:33 -0400

If this is a question (I'm not sure whether you are asking or not), then what you say is correct. It is exactly what I am doing here. The one possible misunderstanding is that ipchains is not required to make the connection...it does security.

===

Subject: Re: ipchains question
From: Glen Lee Edwards <GLEdwards@uswest.net>
Date: Sun, 30 Jul 2000 10:55:19 -0500 (CDT)

On Sun, 30 Jul 2000, M. Neidorff wrote:

>If this is a question (I'm not sure you are asking or not), then what you
>say is correct. It is exactly what I am doing here. The one possible
>misunderstanding is that ipchains is not required to make the
>connection...it does security.

I could use some clarification on this: I'm in the process of installing DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3) Windows machines behind it on the LAN. These are home PC's, nothing of a real sensitive nature on them, and the Windows boxes aren't set up for file or printer sharing, so no one can get in to see their files anyway.

Basically what you're saying is that I can just hook up the ethernet cards, do some modifications on the Linux firewall to include the gateway IP address, allow packet forwarding, assign each ethernet card an IP address; and basically we're off?

I was told that to use ipchains I have to compile ipchains support into the kernel - never recompiled the kernel, don't have a clue how to do this.

===

Subject: Re: ipchains question
From: "Mikkel L. Ellertson" <mikkel@Infinity-ltd.com>
Date: Sun, 30 Jul 2000 11:22:56 -0500 (CDT)

On Sun, 30 Jul 2000, Glen Lee Edwards wrote:

> On Sun, 30 Jul 2000, M. Neidorff wrote:
>
> >If this is a question (I'm not sure you are asking or not), then what you
> >say is correct. It is exactly what I am doing here. The one possible
> >misunderstanding is that ipchains is not required to make the
> >connection...it does security.
>
> I could use some clarification on this: I'm in the process of installing
> DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3)
> Windows machines behind it on the LAN. These are home PC's, nothing of a
> real sensitive nature on them, and the Windows boxes aren't set up for
> file or printer sharing, so no one can get in to see their files anyway.
>
> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the gateway
> IP address, allow packet forwarding, assign each ethernet card an IP
> address; and basically we're off?
>
> I was told that to use ipchains I have to compile ipchain support into the
> kernel - never recompiled the kernel, don't have a clue how to do this.
>
> Glen
>

With a Red Hat kernel, it is already compiled in. (As long as it is a 2.2.x kernel. 2.0.x use ipfwadm...) Your setup is an easy one. I have a DSL setup with a static IP that is also a WEB server, and running sendmail with SPAM filtering, as well as masquerading up to 8 more machines inside the firewall. (Actually set up to support up to 20, but I haven't tried that...)

I would suggest that you consider running the Bastille script on your firewall machine to improve its security.

http://www.bastille-linux.org

Also, make sure you run something like logwatch, and keep a good eye on your logs, because you will have people trying to break into your machine. I get someone doing a scan at least 3 times a week. Sometimes more.

===

Subject: Re: ipchains question
From: "ktb" <xyf@peoplepc.com>
Date: Sun, 30 Jul 2000 12:16:02 -0500

Glen Lee Edwards <GLEdwards@uswest.net> wrote:

> On Sun, 30 Jul 2000, M. Neidorff wrote:
>
> >If this is a question (I'm not sure you are asking or not), then what you
> >say is correct. It is exactly what I am doing here. The one possible
> >misunderstanding is that ipchains is not required to make the
> >connection...it does security.
>
> I could use some clarification on this: I'm in the process of installing
> DSL, and am going to use a Linux box as a firewall, with 2 (maybe 3)
> Windows machines behind it on the LAN. These are home PC's, nothing of a
> real sensitive nature on them, and the Windows boxes aren't set up for
> file or printer sharing, so no one can get in to see their files anyway.
>
> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the gateway
> IP address,

You need to modify your computers behind the firewall to see the firewall as the gateway. One other easy way to set up an ipchains script is pmfirewall. Download that and install; it configures everything for you.

hth,
kent

===

Subject: Re: ipchains question
From: "George Lenzer" <eno@home.stratos.net>
Date: Sun, 30 Jul 2000 13:46:44 -0400

Glen Lee Edwards <GLEdwards@uswest.net> wrote:

>On Sun, 30 Jul 2000, M. Neidorff wrote:
>
> ...These are home PC's, nothing of a real sensitive nature on them,
> and the Windows boxes aren't set up for file or printer sharing, so no
> one can get in to see their files anyway.

Even if you had Windows file and printer sharing enabled, it wouldn't be open to the Internet behind the firewall. What you really don't want is the Linux equivalent of Windows file and printer sharing (Samba) enabled ON the firewall. That is where a hacker/kiddie could get in and do some damage (only to your firewall). With a properly secured firewall, you can use Windows file and print sharing on your internal LAN.

> Basically what you're saying is that I can just hook up the ethernet
> cards, do some modifications on the Linux firewall to include the
> gateway IP address, allow packet forwarding, assign each ethernet
> card an IP address; and basically we're off?

I'm not sure EXACTLY what you meant above, but I will try to clarify... You will need to have two NICs in your Linux box to do IP Masq. One NIC will connect to your DSL service and will either be set up with a static IP (if your provider assigned you one) or... will be set up with DHCP if that is what your provider uses. The other NIC will connect to your LAN hub or switch. This NIC should be assigned a static IP within your network. For example, I use the 192.168.1.0 network. My firewall is 192.168.1.1. Finally, all of your windows machines would need to have their gateway setting set to the IP address of the NIC connected to your hub. In my case, all of my internal machines have a gateway address 192.168.1.1.

> I was told that to use ipchains I have to compile ipchain support
> into the kernel - never recompiled the kernel, don't have a clue how
> to do this.

You shouldn't have to do this with the stock kernel that comes with RedHat 6.2; it is already compiled in. ipchains sets up the NAT (Network Address Translation) rules for the kernel's packet filter. If you WANT to run any servers behind the firewall that you want accessible to the outside world, you will need to use ipmasqadm in addition.

My advice to you if you are setting up a firewall for DSL is to make sure that you are running as close as possible to no services on the box. Disable telnet, http, pop3, imap, smtp, samba, ftp, finger, talk, etc... At the very least, edit your /etc/hosts.deny file to ALL:ALL and your /etc/hosts.allow to ALL:LOCAL 192.168.1. This will only allow your internal LAN access to the services on your firewall and deny most intruders from outside.

===
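The original question asks for the basic ipchains commands that let LAN machines browse through the gateway, and Tom Burke's rc.firewall above shows one full answer. The block below is an added example, not code from the thread or from any poster's script: it is the minimal masquerade rule set in the order it has to be applied (kernel forwarding on, forward policy DENY, LAN-to-LAN accepted unchanged, LAN-to-anywhere-else rewritten with MASQ, spoofed LAN sources on the outside interface refused), with a dry-run switch and a small forward-chain simulator so the rule order can be checked on a machine without ipchains. The interface names (eth0 = LAN, eth1 = DSL), the 192.168.1.0/24 LAN, the probe addresses and all function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: eth0 faces the LAN,
# eth1 faces the DSL line, LAN = 192.168.1.0/24. DRY_RUN=1 prints the
# commands instead of running them, which needs no root and no ipchains.

INTERNAL_IF=eth0
INTERNAL_NET=192.168.1.0/24
EXTERNAL_IF=eth1
IPCHAINS=/sbin/ipchains
DRY_RUN=${DRY_RUN:-1}

# run CMD ARGS... : print (dry run) or execute one privileged command.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# masq_rules: the minimal masquerade rule set, in the order it must be applied.
masq_rules() {
    # Kernel side: forward packets, and drop packets whose source address
    # could not have arrived on that interface (reverse-path filter).
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    # Forward chain: start from "forward nothing", then allow LAN-to-LAN
    # unchanged and rewrite LAN-to-anywhere-else to the gateway's address.
    # In the ipchains forward chain, -i names the interface the packet leaves on.
    run $IPCHAINS -F forward
    run $IPCHAINS -P forward DENY
    run $IPCHAINS -A forward -s $INTERNAL_NET -d $INTERNAL_NET -j ACCEPT
    run $IPCHAINS -A forward -i $EXTERNAL_IF -s $INTERNAL_NET -j MASQ
    # Input chain: a packet claiming a LAN source on the DSL side is spoofed;
    # refuse it and log it (-l).
    run $IPCHAINS -A input -i $EXTERNAL_IF -s $INTERNAL_NET -j DENY -l
}

# ip2int A.B.C.D -> the address as one integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/BITS -> 0 if IP lies inside NET/BITS ("0/0" matches everything).
in_net() {
    [ "$2" = "0/0" ] && return 0
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# forward_verdict SRC DST OUT_IF -> verdict of the forward chain for that
# packet: first matching rule wins, otherwise the chain policy. Evaluated
# over the dry-run output of masq_rules, so it never touches the kernel.
forward_verdict() {
    src=$1; dst=$2; oif=$3; policy=ACCEPT
    tmp=$(mktemp); saved=$DRY_RUN; DRY_RUN=1; masq_rules > "$tmp"; DRY_RUN=$saved
    while IFS= read -r line; do
        set -- $line
        chain=; rs=0/0; rd=0/0; ri=; target=
        while [ $# -gt 0 ]; do
            case $1 in
                -P) if [ "$2" = forward ]; then policy=$3; fi; shift 3 ;;
                -A) chain=$2; shift 2 ;;
                -s) rs=$2; shift 2 ;;
                -d) rd=$2; shift 2 ;;
                -i) ri=$2; shift 2 ;;
                -j) target=$2; shift 2 ;;
                *) shift ;;
            esac
        done
        [ "$chain" = forward ] || continue
        if in_net "$src" "$rs" && in_net "$dst" "$rd" && { [ -z "$ri" ] || [ "$ri" = "$oif" ]; }; then
            rm -f "$tmp"; echo "$target"; return 0
        fi
    done < "$tmp"
    rm -f "$tmp"
    echo "$policy"
}

# Stand-alone run: list the rules, then show what the forward chain does with
# a LAN host browsing out, LAN-to-LAN traffic, and an outside host aiming at the LAN.
masq_rules
for probe in "192.168.1.25 198.51.100.10 $EXTERNAL_IF" \
             "192.168.1.25 192.168.1.30 $INTERNAL_IF" \
             "198.51.100.10 192.168.1.25 $INTERNAL_IF"; do
    echo "forward $probe -> $(forward_verdict $probe)"
done
```

Run it as-is to review the rule list; run it with `DRY_RUN=0` as root on the gateway to apply it. The simulator answers the question the thread circles around: with the forward policy set to DENY, nothing from the DSL side is forwarded into the LAN unless a rule says so, while LAN hosts still get out because the MASQ rule matches their packets on the way out.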
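George Lenzer's closing advice puts ALL:ALL in /etc/hosts.deny and ALL:LOCAL, 192.168.1. in /etc/hosts.allow. The block below is an added example, not from the thread: it reproduces the decision order that tcp_wrappers documents in hosts_access(5) (hosts.allow is consulted first, then hosts.deny, and a client listed in neither is allowed) as a shell function over constructed copies of the two files, so the effect of the pair can be checked before it is applied to /etc. The daemon names, client addresses and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate tcp_wrappers' hosts_access(5)
# decision for the hosts.allow / hosts.deny pair recommended above. The two
# files are constructed in a temp directory, never read from /etc.

WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# constructed sample: local hostnames and the internal LAN only
ALL: LOCAL, 192.168.1.
EOF
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# constructed sample: everything else is refused
ALL: ALL
EOF

# client_matches TOKEN CLIENT -> 0 if the hosts_access client pattern TOKEN
# matches CLIENT. Covers the forms used above: ALL, LOCAL (a hostname with
# no dot), a network prefix written with a trailing dot, and an exact match.
client_matches() {
    tok=$1; client=$2
    case "$tok" in
        ALL) return 0 ;;
        LOCAL) case "$client" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *.) case "$client" in "$tok"*) return 0 ;; *) return 1 ;; esac ;;
        *) [ "$tok" = "$client" ] ;;
    esac
}

# file_matches FILE DAEMON CLIENT -> 0 if any "daemon_list : client_list"
# line in FILE matches the daemon and the client (comments are skipped).
file_matches() {
    file=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        dmatch=1
        for d in $(echo "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            client_matches "$c" "$client" && return 0
        done
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT -> prints "allow" or "deny" in hosts_access(5)
# order: a hosts.allow match wins, then a hosts.deny match refuses,
# and a client found in neither file is allowed.
hosts_access() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Stand-alone run: probe the pair with a LAN host, a look-alike address that
# only shares the first three octets' digits, an outside host, and a local name.
for probe in 192.168.1.25 192.168.10.7 209.122.117.5 localbox; do
    printf '%-16s sshd -> %s\n' "$probe" "$(hosts_access sshd "$probe")"
done
```

The second probe is the point to take from this: the trailing dot in `192.168.1.` makes it a prefix match on whole address fields, so `192.168.10.7` is not covered and falls through to the `ALL: ALL` deny, which is the behaviour wanted from a LAN-only allow list. Dropping the dot would turn the token into an exact-address match and lock out the whole LAN.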